Facing intense criticism, anti-virus software maker Avast on Thursday said it will shut down Jumpshot, its data collecting side business. The Avast subsidiary has been funneling to marketers detailed internet browsing activity from the firm's security products and browser extensions.

Prague-based Avast, founded in 1988, is one of the most popular providers of free anti-virus software, with 435 million users of its products, which include software from AVG, a security company it acquired in 2016.

But an investigation by Vice's Motherboard and PCMag discovered that Avast was using its large installation base to collect users' browsing histories, details of online purchases and even search engine queries, and then selling this data to third parties via Avast's Jumpshot arm.

Avast had promised that any collected data would be anonymized and user privacy preserved. It had said it would strip out email addresses and personally identifiable information before selling the data to third parties. But Motherboard and PCMag found that the scrubbed browsing data being sold could still be used to identify specific individuals, thus invalidating Avast's privacy assurances.

An excerpt from Jumpshots's website promoting its tracking capabilities

The finding echoes what many privacy and security experts have long warned about attempts to deanonymize data sets: Even data that has been purportedly made anonymous can still often be linked back to individual users.

The situation also highlights a continuing gulf between increasingly strict data protection regulations and user expectations. Avast maintains that it and Jumpshot are compliant with the EU's General Data Protection Regulation. But when the company's data collection operations were laid bare, an outcry ensued.

Avast CEO Ondrej Vlcek, who started as CTO and COO with the company in Prague in 2014, apologized to users.

"Protecting people is Avast's top priority and must be embedded in everything we do in our business and in our products," Vlcek writes. "Anything to the contrary is unacceptable."

'Every Search, Click and Buy'

Jumpshot is a subsidiary of Avast that it acquired in 2013. Jumpshot started as a tool to optimize computers, cleaning junk files and "tuning" PCs. This category of applications is often watched by security researchers with intense scrutiny, because they have often displayed shady behavior, leading to some being classified as "potentially unwanted programs" by other security vendors.

According to Jumpshot's website, the software evolved, adding tracking tools that could collect search data, click data and purchase data from 150 websites, including Amazon Google, Netflix and Walmart. One of Jumpshot's promotional tags reads: "Examine every search, click and buy. On every site."

Jumpshot's customers included Google, Trip Advisor, Conde Nast and Unilever, according to its website. Its partners also included such prominent web-tracking companies as Quantcast, Kantar Media, Lotame, Neustar, LiveRamp and Connexity.

Avast wrapped Jumpshot into both its Avast and AVG anti-virus products, as well as browser apps. The security software vendor also offered a series of security extensions that contained Jumpshot. The tracking capabilities were further woven into Web Shield, an Avast tool that protects people from malicious domains by checking URLs and alerting users if they're malicious.

Until July 2019, users were automatically enrolled in Jumpshot. In that month, however, Avast changed the default settings in its software, so that users had to actively opt in to having their personal data get collected. Avast also began querying users of its free anti-virus products about whether they wanted to share their personal data or not.

In October 2019, Wladimir Palant, one of the creators of the popular AdBlock Plus extension for browsers, wrote that the Avast extensions and browsers connected to Jumpshot were collecting extensive web browsing history from users, without clearing notifying them that it was doing so.

Palant maintained that the data collected went far beyond just what sites a person visited; it also tracked how many tabs were open in a browser, how often a site was visited, how long the person visited a site and what regions they clicked on different pages.

"All that is connected to a number of attributes allowing Avast to recognize you reliably, even a unique user identifier," Palant warned.

There is a considerable body of evidence suggesting that #Jumpshot was selling data of #Avast users without any aggregation, despite Avast claiming the opposite. And their anonymization approach is inherently incomplete. https://t.co/FNSXb1NA8V

Such revelations led some browser makers to crack down. By December 2019, Mozilla began blocking four Avast browser extensions, including Avast Online Security, AVG Online Security, Avast SafePrice and AVG SafePrice, PCMag reports. Opera soon followed suit. Subsequently, Sen. Ron Wyden, D-Ore., a strong consumer privacy advocate, said via Twitter that he planned to query Avast about its business practices.

The investigation revealed that after tracking data got fed to other companies, such as Amazon, they could use the data to identify the individual user, based on the purchase they'd made. In addition, URLs can contain identifying data that isn't necessarily PII on its own, but which can still be identifying, for example, because they lead to comments on videos or tweets.

Anti-Virus Market Pressure

Why did Avast begin collecting detailed browsing data in 2015? The company explained its rationale in a May 2015 blog post, when it began to roll out Jumpshot.

Vince Steckler retired as the CEO of Avast in 2019 after serving in the role for 10 years. (Photo: ISMG)

"Currently we do not make any money from this relationship, but it is an experiment as to whether we can fund our security products indirectly instead of nagging our users to upgrade," Vince Steckler, Avast's CEO at the time, wrote in the blog post.

Avast went public in May 2018.

The consumer anti-virus market remains an extremely competitive business. Many AV companies have long offered a less-featured free product in hopes that consumers would upgrade to a subscription-based product.

Steckler assured users that the 150 billion URLs collected each month would be cleansed of personally identifiable data before the data was passed on from Avast's servers.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;